auth.go

package clientv3

import (

    "fmt"

    "strings"

    "github.com/coreos/etcd/auth/authpb"

    pb "github.com/coreos/etcd/etcdserver/etcdserverpb"

    "golang.org/x/net/context"

    "google.golang.org/grpc"

)

type (

    AuthEnableResponse               pb.AuthEnableResponse

    AuthDisableResponse              pb.AuthDisableResponse

    AuthenticateResponse             pb.AuthenticateResponse

    AuthUserAddResponse              pb.AuthUserAddResponse

    AuthUserDeleteResponse           pb.AuthUserDeleteResponse

    AuthUserChangePasswordResponse   pb.AuthUserChangePasswordResponse

    AuthUserGrantRoleResponse        pb.AuthUserGrantRoleResponse

    AuthUserGetResponse              pb.AuthUserGetResponse

    AuthUserRevokeRoleResponse       pb.AuthUserRevokeRoleResponse

    AuthRoleAddResponse              pb.AuthRoleAddResponse

    AuthRoleGrantPermissionResponse  pb.AuthRoleGrantPermissionResponse

    AuthRoleGetResponse              pb.AuthRoleGetResponse

    AuthRoleRevokePermissionResponse pb.AuthRoleRevokePermissionResponse

    AuthRoleDeleteResponse           pb.AuthRoleDeleteResponse

    AuthUserListResponse             pb.AuthUserListResponse

    AuthRoleListResponse             pb.AuthRoleListResponse

    PermissionType authpb.Permission_Type

    Permission     authpb.Permission

)

const (

    PermRead      = authpb.READ

    PermWrite     = authpb.WRITE

    PermReadWrite = authpb.READWRITE

)

type Auth interface {

    // AuthEnable enables auth of an etcd cluster.

       //开启授权在 etcd集群中

    AuthEnable(ctx context.Context) (*AuthEnableResponse, error)

    // AuthDisable disables auth of an etcd cluster.

//关闭授权 在集群中

    AuthDisable(ctx context.Context) (*AuthDisableResponse, error)

    // UserAdd adds a new user to an etcd cluster.

//添加一个用户到集群中

    UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)

    // UserDelete deletes a user from an etcd cluster.

//在集群中删除一个用户

    UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)

    // UserChangePassword changes a password of a user.

//改变集群中一个用户密码

    UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)

    // UserGrantRole grants a role to a user.

//授权一个角色给一个用户

    UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error)

    // UserGet gets a detailed information of a user.

//得到一个用户信息信息

    UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error)

    // UserList gets a list of all users.

    UserList(ctx context.Context) (*AuthUserListResponse, error)

    // UserRevokeRole revokes a role of a user.

//撤销一个用户的角色

    UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error)

    // RoleAdd adds a new role to an etcd cluster.

//在集群中 添加一个角色

    RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)

    // RoleGrantPermission grants a permission to a role.

//授权给一个角色的操作权限

    RoleGrantPermission(ctx context.Context, name string, key, rangeEnd string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error)

    // RoleGet gets a detailed information of a role.

//获取一个角色的详细信息

    RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error)

    // RoleList gets a list of all roles.

//获取集群中 所有的角色列表

    RoleList(ctx context.Context) (*AuthRoleListResponse, error)

    // RoleRevokePermission revokes a permission from a role.

//撤销一个角色对应的权限  与RoleGrantPermission  相反的操作

    RoleRevokePermission(ctx context.Context, role string, key, rangeEnd string) (*AuthRoleRevokePermissionResponse, error)

    // RoleDelete deletes a role.

//删除一个角色

    RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error)

}

//授权结构体

type auth struct {

    c *Client

    conn   *grpc.ClientConn // conn in-use

    remote pb.AuthClient

}

//新建一个授权对象

func NewAuth(c *Client) Auth {

    conn := c.ActiveConnection()

    return &auth{

        conn:   c.ActiveConnection(),

        remote: pb.NewAuthClient(conn),

        c:      c,

    }

}

//

func (auth *auth) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) {

    resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{}, grpc.FailFast(false))

    return (*AuthEnableResponse)(resp), toErr(ctx, err)

}

func (auth *auth) AuthDisable(ctx context.Context) (*AuthDisableResponse, error) {

    resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{}, grpc.FailFast(false))

    return (*AuthDisableResponse)(resp), toErr(ctx, err)

}

func (auth *auth) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) {

    resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password})

    return (*AuthUserAddResponse)(resp), toErr(ctx, err)

}

func (auth *auth) UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) {

    resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name})

    return (*AuthUserDeleteResponse)(resp), toErr(ctx, err)

}

func (auth *auth) UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) {

    resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password})

    return (*AuthUserChangePasswordResponse)(resp), toErr(ctx, err)

}

func (auth *auth) UserGrantRole(ctx context.Context, user string, role string) (*AuthUserGrantRoleResponse, error) {

    resp, err := auth.remote.UserGrantRole(ctx, &pb.AuthUserGrantRoleRequest{User: user, Role: role})

    return (*AuthUserGrantRoleResponse)(resp), toErr(ctx, err)

}

func (auth *auth) UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error) {

    resp, err := auth.remote.UserGet(ctx, &pb.AuthUserGetRequest{Name: name}, grpc.FailFast(false))

    return (*AuthUserGetResponse)(resp), toErr(ctx, err)

}

func (auth *auth) UserList(ctx context.Context) (*AuthUserListResponse, error) {

    resp, err := auth.remote.UserList(ctx, &pb.AuthUserListRequest{}, grpc.FailFast(false))

    return (*AuthUserListResponse)(resp), toErr(ctx, err)

}

func (auth *auth) UserRevokeRole(ctx context.Context, name string, role string) (*AuthUserRevokeRoleResponse, error) {

    resp, err := auth.remote.UserRevokeRole(ctx, &pb.AuthUserRevokeRoleRequest{Name: name, Role: role})

    return (*AuthUserRevokeRoleResponse)(resp), toErr(ctx, err)

}

func (auth *auth) RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) {

    resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name})

    return (*AuthRoleAddResponse)(resp), toErr(ctx, err)

}

func (auth *auth) RoleGrantPermission(ctx context.Context, name string, key, rangeEnd string, permType PermissionType) (*AuthRoleGrantPermissionResponse, error) {

    perm := &authpb.Permission{

        Key:      []byte(key),

        RangeEnd: []byte(rangeEnd),

        PermType: authpb.Permission_Type(permType),

    }

    resp, err := auth.remote.RoleGrantPermission(ctx, &pb.AuthRoleGrantPermissionRequest{Name: name, Perm: perm})

    return (*AuthRoleGrantPermissionResponse)(resp), toErr(ctx, err)

}

func (auth *auth) RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error) {

    resp, err := auth.remote.RoleGet(ctx, &pb.AuthRoleGetRequest{Role: role}, grpc.FailFast(false))

    return (*AuthRoleGetResponse)(resp), toErr(ctx, err)

}

func (auth *auth) RoleList(ctx context.Context) (*AuthRoleListResponse, error) {

    resp, err := auth.remote.RoleList(ctx, &pb.AuthRoleListRequest{}, grpc.FailFast(false))

    return (*AuthRoleListResponse)(resp), toErr(ctx, err)

}

func (auth *auth) RoleRevokePermission(ctx context.Context, role string, key, rangeEnd string) (*AuthRoleRevokePermissionResponse, error) {

    resp, err := auth.remote.RoleRevokePermission(ctx, &pb.AuthRoleRevokePermissionRequest{Role: role, Key: key, RangeEnd: rangeEnd})

    return (*AuthRoleRevokePermissionResponse)(resp), toErr(ctx, err)

}

func (auth *auth) RoleDelete(ctx context.Context, role string) (*AuthRoleDeleteResponse, error) {

    resp, err := auth.remote.RoleDelete(ctx, &pb.AuthRoleDeleteRequest{Role: role})

    return (*AuthRoleDeleteResponse)(resp), toErr(ctx, err)

}

func StrToPermissionType(s string) (PermissionType, error) {

    val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]

    if ok {

        return PermissionType(val), nil

    }

    return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)

}

type authenticator struct {

    conn   *grpc.ClientConn // conn in-use

    remote pb.AuthClient

}

func (auth *authenticator) authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error) {

    resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password}, grpc.FailFast(false))

    return (*AuthenticateResponse)(resp), toErr(ctx, err)

}

func (auth *authenticator) close() {

    auth.conn.Close()

}

func newAuthenticator(endpoint string, opts []grpc.DialOption) (*authenticator, error) {

    conn, err := grpc.Dial(endpoint, opts...)

    if err != nil {

        return nil, err

    }

    return &authenticator{

        conn:   conn,

        remote: pb.NewAuthClient(conn),

    }, nil

}